ISO 9001:2015 incorporates what the draft version of the International Standard has termed “Risk-based Thinking” in its requirements for the establishment, implementation, maintenance and continual improvement of the quality management system. In the previous version of ISO 9001, a clause on preventive action was separated from the whole. Now risk is considered and included throughout the standard.

The advantages of the risk-based audit approach are that organisations become proactive rather than purely reactive, preventing undesired effects and promoting continual improvement. Prevention is built in automatically when a management system is risk-based.

Every organisation is different: each works to its own SOPs and has a different attitude to risk, different processes and different language. Experienced internal auditors need to adapt to the structure, processes and language of their organisation in order to implement risk-based internal audit.

If the organisation’s risk management framework is not strong or doesn’t even exist, management is not ready for risk-based internal audit. Moreover, it gives the impression that internal control is poor and not working actively. Internal auditors in such an organisation should promote good risk management practice to improve the system of internal control.

What is risk-based thinking?

Risk-based thinking is something we all do automatically.

  • Example: If I wish to cross a road I look for traffic before I begin. I will not step in front of a moving car.

Risk-based thinking has always been in ISO 9001 – this revision builds it into the whole management system.

In ISO 9001:2015, risk is considered from the beginning and throughout the standard, making preventive action part of strategic planning as well as operation and review.

Risk-based thinking is already part of the process approach

  • Example: To cross the road I may go directly or I may use a nearby footbridge. Which process I choose will be determined by considering the risks.

Risk is commonly understood to be negative; however, in risk-based thinking opportunity can also be found, which is sometimes seen as the positive side of risk.

  • Example: Crossing the road directly gives me an opportunity to reach the other side quickly, but there is an increased risk of injury from moving cars. The risk of using a footbridge is that I may be delayed. The opportunity of using a footbridge is that there is less chance of being injured by a car.

Let's continue and look at the advantages of the risk-based audit approach.

Advantages of Risk Based Audit Approach

The risk-based audit approach focuses more on the areas of highest risk to the organisation and uses a different starting point: business objectives rather than controls. Of course the audit itself is a risk-based activity, and the auditor is assessing risk when sampling. If I am an auditor and I examine 10% of a given set of records to obtain sufficient and reliable evidence of conformance, my risk assessment as an auditor is that I am prepared to accept the risk that the other 90%, unseen by me, is likely conforming.

At the end of the day, we are dealing with quality assurance. Against the set of audit criteria, the audit decision provides assurance on the degree of conformance. When you hold up your ISO 9001 certificate, it gives your consumer the assurance of quality and that you are working in accordance with the set standards of ISO 9001. It adds value because it can evaluate whether the processes within the system are operating efficiently and effectively. It can show:

  • Where double handling takes place.
  • Where unnecessary steps are included.
  • Where critical steps are missed out.
  • Where equipment and machinery are not operating as they should or enhancing the process.
  • Where operators have not been fully inducted, briefed or trained.
  • Where there are inadequate work instructions to work with.
  • Where vital inspection and test activities have been missed out, or are failing to do what is required of them.

Identifying these points leads to the solution of the problem. You can never fix what you don’t know is broken. You can never improve if you cannot measure, and furthermore you cannot decide what the most important priority is without identifying the consequences of not doing it – i.e. the risk!

Once the problem has been pointed out, it is easier to find a solution to it.

If you are interested in outsourcing your internal audit function and getting the advantages of the risk-based audit approach, please contact us for a free quote.